
Bug Bounty Program

We believe in collaborative security. Help us keep Sitemap.xml safe, and we'll reward your expertise. Responsible disclosure is always welcome.


What's In & Out of Scope

Focus your efforts on our core infrastructure and APIs. We reward targeted, responsible testing.

In Scope

  • API endpoints (`api.sitemap.xml/v1/*`)
  • Web application dashboard & admin panels
  • Authentication, session management & OAuth flows
  • Sitemap generation & parsing engines
  • Infrastructure (CDN, edge functions, databases)
  • Mobile SDKs & CLI tools

🚫 Out of Scope

  • Social engineering, phishing, or DDoS
  • Third-party integrations or customer domains
  • Aggressive automated scanning or fuzzing without prior approval (light, non-intrusive scanning is permitted; see Common Questions)
  • Issues in staging/test environments
  • Low-severity findings with no demonstrated exploit chain or impact
  • Previously disclosed or publicly known vulnerabilities

Severity-Based Payouts

We compensate fairly based on impact, exploitability, and effort. All payouts are issued within 14 days of verification.

Critical
$10k - $50k

RCE, complete account takeover, mass data breach, or authentication bypass affecting all users.

High
$3k - $10k

SQLi, XSS (stored/reflected), IDOR, privilege escalation, or sensitive data exposure.

Medium
$500 - $3k

CSRF, open redirects, rate limit bypass, session fixation, or minor info leaks.

Low / Info
$100 - $500

Security headers missing, minor misconfigurations, or best practice improvements.

Submission Process

Follow these steps to ensure your report is processed quickly and rewarded fairly.

1. Document the Vulnerability

Provide a clear description, exact steps to reproduce, an impact assessment, and a working proof-of-concept. Include the relevant HTTP requests and responses where applicable.

2. Submit via Email

Send your report to our dedicated security inbox. Use PGP encryption if preferred. We acknowledge all submissions within 48 hours.

3. Collaborate & Resolve

Our security team will triage, reproduce, and fix the issue. We will keep you updated throughout the process and notify you once a fix is deployed.

4. Receive Your Reward

Once verified and resolved, rewards are processed via PayPal, Wise, or crypto. Hall of Fame recognition is optional.

Common Questions

Can I use automated scanners?
Yes, but only light-duty, non-intrusive scanners. Do not run aggressive fuzzing, DDoS-style requests, or tools that may impact service availability. Prior approval is required for heavy testing.

What happens if I find a vulnerability in a third-party service?
Report it directly to the third-party vendor. We cannot reward or triage vulnerabilities in services we do not own or control, though we may provide referrals.

Do you offer swag or alternative rewards?
Yes! You can opt for branded Sitemap.xml merch, conference sponsorships, or donations to charity in lieu of monetary payouts. Mention your preference in the report.

Is there a safe harbor policy?
Absolutely. As long as you act in good faith, do not access or modify other users' data, and avoid destructive testing, we will not pursue legal action. We welcome responsible researchers.

🛡️ Safe Harbor Guarantee

We will not initiate legal action against anyone who identifies and responsibly discloses security vulnerabilities. Your good-faith efforts are protected under our Responsible Disclosure Policy.